At 994683614s since epoch (07/09/01 11:00:14 -0400 UTC), Micah Anderson wrote:
> Having said that we do it this way as well, I'll point out one flaw which
> particularly nags at me. Andreas said, "a) allowing convenience by allowing
> the user to effectively choose their own root passwd." which roughly
> equivocates to the difference between having one root password that can be
> cracked to get to the system, to having N+1 root passwords that can be
> cracked to get at the system (where N=number of admins with sudo access). At
> this point it is a toss up - is the convenience of not having to pass around
> the root password to all the admins worth the additional cracks? Do you
> trust each admin to be secure with both their password choices as well as
> the rest of their actions?
Two things here. First, if you don't trust your admins, then you've
got problems. If they don't need to do much, you can always just
write them custom software (for example, if the admins only need to
change passwords, just give them an suid password-changing script).
But if they need to do a fair amount, then you're just going to have
to trust them at some point. It's hard enough to keep regular users
from getting root; keeping admins from doing it is just insanity.
About the best you can hope for is to log to another machine (so
sudoers can't hose your logfiles), and be vigilant about checking what
they do.
Anyway, to your point about passwords, I say again (do we detect a
theme?): use PAM and make them use a different password for sudo. If
you want to get real draconian, you can make them use OTP (one-time
passwords). This isn't the greatest idea, though, because it
encourages the use of 'sudo -s' to avoid password hassles. Barring
that, however, you can make them use a different password from their
login. Assuming they use ssh and not telnet (they DO use ssh,
right???), a compromise of the first doesn't lead to an immediate
compromise of the second. Yes, clever hackers will insert trojans to
sniff that second password, but there are ways around that (OTP,
anyone??).
As usual, this will boil down to the big Theory vs Practice argument.
In theory, sudo shouldn't let people break out of their little
semi-root cage, and you should be able to not totally trust your
admins. But alas, this isn't so. You'll have to do the best you can
with sudo, log like crazy, and apply The Smack to anyone who "plays"
with sudo too much. Combine this with a strong policy of ssh, good
passwords, and sudo policy (separate passwords, time restrictions,
command restrictions), and I think you're doing the best you can.
And, like I said, it's better than plain ol' su, no matter how you
slice it.
Jason
--
Jason Healy | jhealy@logn.net
LogN Systems | http://www.logn.net/
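An added example, not part of Jason's post or of any project's code, in the spirit of "log to another machine and be vigilant about checking what they do" combined with the sudoers command restrictions he mentions: a small Python review script that reads the sudo lines that syslog forwards to a loghost, parses sudo's own log format (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`, with `N incorrect password attempts` prepended on authentication failures), and flags three things: invocations whose command is a shell (what `sudo -s` or `sudo su` produces), failed password attempts, and commands outside a per-admin allow-list that mirrors what a restrictive sudoers file would grant. The admin names, the allow-list and the log lines are constructed for the example; the shell list and the per-user policy are assumptions you would replace with your own sudoers contents.

```python
import re
from collections import defaultdict

# sudo logs one line per invocation in this shape (the user field is the invoking
# user; USER= inside the fields is the run-as user). Anything else is ignored.
SUDO_RE = re.compile(r"sudo:\s+(?P<invoker>\S+)\s+:\s+(?P<fields>.*)$")

# Commands that hand the admin an unrestricted root shell (assumed list; extend
# with whatever shells exist on your systems).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh", "/bin/zsh", "/bin/su"}

# Constructed per-admin policy mirroring a restrictive sudoers file: each admin
# may only run the listed programs as root. Hypothetical names and paths.
ALLOWED = {
    "alice": {"/usr/bin/passwd"},
    "bob": {"/sbin/reboot", "/usr/bin/apt-get"},
}

# Constructed sample of forwarded syslog lines; the sshd line shows that
# unrelated records are skipped.
SAMPLE_LOG = """\
Jul  9 11:00:14 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd carol
Jul  9 11:02:51 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jul  9 11:03:20 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Jul  9 11:05:07 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Jul  9 11:06:00 host1 sshd[123]: Accepted publickey for bob from 10.0.0.5 port 2222 ssh2
"""


def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None if the line is not from sudo."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    entry = {"invoker": m.group("invoker")}
    fields = m.group("fields")
    # Failed authentications carry a leading "N incorrect password attempts" clause.
    entry["failed_auth"] = "incorrect password attempt" in fields
    for part in fields.split(" ; "):
        if "=" in part:
            key, value = part.split("=", 1)
            entry[key.strip()] = value.strip()  # keys stay as sudo writes them: TTY, PWD, USER, COMMAND
    return entry


def audit(lines, allowed=ALLOWED, shells=SHELLS):
    """Review sudo log lines; return (findings, invocations_per_admin).

    Each finding is (invoker, kind, command) with kind one of
    'failed-auth', 'shell-escape' or 'outside-policy'.
    """
    findings = []
    per_user = defaultdict(int)
    for line in lines:
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        invoker = entry["invoker"]
        per_user[invoker] += 1
        command = entry.get("COMMAND", "")
        if entry["failed_auth"]:
            findings.append((invoker, "failed-auth", command))
            continue
        program = command.split()[0] if command else ""
        if program in shells:
            findings.append((invoker, "shell-escape", command))
        elif program not in allowed.get(invoker, set()):
            findings.append((invoker, "outside-policy", command))
    return findings, dict(per_user)


if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG.splitlines())
    for invoker, kind, command in found:
        print(f"{kind:15s} {invoker:8s} {command}")
    print("invocations per admin:", counts)
```

Run it against a copy of the loghost's auth log rather than the local one, since a sudoer who has obtained a shell can edit local files at will; the point of the per-admin allow-list is that it is the same list you put in sudoers, so anything flagged `outside-policy` is either a policy drift or a sudoers entry broader than you thought.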